Are you interested in SOC services but unsure what will be asked of you if internal control deficiencies are found? We all know the scary words qualification or misstatement, but what about the less scary but still important term: deficiency. This is also known as a “finding” or “gap,” and a deficiency can also be an “exception.” In this article, we’ll discuss the general process of deficiency analysis and the questions that will arise from the finding.
Every environment is different and so is every deficiency, but there are some questions that can gather the necessary information to kick off your deficiency analysis.
- What is an audit deficiency?
- How do we define our exposure risk?
- How do we address an unmitigated risk?
- What caused the deficiency?
- What if there are multiple deficiencies?
- How do we fix the audit deficiency?
- When does the auditor retest the process?
- How will a deficiency show up in my report?
- Who is responsible for finding deficiencies?
What is an Audit Deficiency?
A deficiency occurs when the design or operation of a control does not perform as intended. There are a series of steps and considerations when evaluating an internal control deficiency.
To help provide an understanding of this process, I’ll use an example deficiency as we walk through the following considerations.
Example audit deficiency: On 4/1/21, a user was provisioned inappropriate access (administrator role) compared to what is required for their job responsibilities.
How Do We Define Exposure Risk?
This is one of the many times risk matrices are beneficial. When a deficiency occurs, an up-to-date risk matrix will highlight the risks that were mitigated by the [now deficient] control. We need to mitigate those risks. From our example, we can mitigate the risk around this user by immediately removing the inappropriate access. The action of removing the user’s inappropriate access allows us to define the “exposure risk” period. In this case, the period would be from the date the inappropriate access began, on 4/1/21, through the date the inappropriate access was removed.
How Do We Address An Unmitigated Risk?
The exposure risk is a period of unknown length during which the user could have used roles they were not supposed to have and performed malicious actions. This level of risk can also be assessed based on the type of inappropriate access provisioned. There is a higher risk around an administrator role with production access than around a user with general read-only access.
Ease of mitigation will depend on the system configuration and on whether activity logging is enabled and retained. For our example deficiency, we can look at the user’s last login date to the network or to the account, as the user may not have logged in at all during the exposure risk period. If the user did access the account during the exposure period, activity logs are also beneficial for mitigating this deficiency because they let us determine the precise actions that were performed.
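To make the exposure-period analysis from the two sections above concrete, here is an added example (not code from the original article or from Linford & Co). It assumes a constructed, line-based activity log of the form `<ISO timestamp> <actor> <event> [detail]`; the log lines, user names and event names are invented for illustration, and real systems will need their own parser. Given the grant and revoke events for the inappropriate role, it derives the exposure window, then checks whether the user logged in and whether any privileged action was recorded inside that window, which is exactly the evidence the auditor will ask for.

```python
"""Exposure-window analysis for an access-provisioning deficiency (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample log. Format (assumed for this example):
#   <ISO timestamp> <actor> <event> [detail]
SAMPLE_LOG = """\
2021-03-28T09:14:00 jdoe LOGIN workstation
2021-04-01T10:02:00 admin ROLE_GRANT jdoe=Administrator
2021-04-03T08:45:00 jdoe LOGIN vpn
2021-04-03T08:50:00 jdoe ADMIN_ACTION reset_password target=asmith
2021-04-05T13:00:00 asmith LOGIN vpn
2021-04-09T16:30:00 admin ROLE_REVOKE jdoe=Administrator
2021-04-12T07:00:00 jdoe LOGIN vpn
"""

# Event names treated as privileged; constructed for the example.
PRIVILEGED_EVENTS = {"ADMIN_ACTION", "ROLE_GRANT", "ROLE_REVOKE"}


@dataclass
class LogEntry:
    ts: datetime
    actor: str
    event: str
    detail: str


@dataclass
class ExposureWindow:
    user: str
    role: str
    start: datetime
    end: Optional[datetime]  # None means the access has not been removed yet

    def contains(self, ts: datetime) -> bool:
        return ts >= self.start and (self.end is None or ts <= self.end)

    def exposure_days(self) -> Optional[int]:
        """Inclusive calendar days from grant date through revoke date."""
        if self.end is None:
            return None
        return (self.end.date() - self.start.date()).days + 1


def parse_log(text: str) -> List[LogEntry]:
    """Parse the constructed log format; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        detail = parts[3] if len(parts) > 3 else ""
        entries.append(LogEntry(datetime.fromisoformat(parts[0]), parts[1], parts[2], detail))
    return entries


def find_exposure_window(entries: List[LogEntry], user: str, role: str) -> Optional[ExposureWindow]:
    """Exposure runs from the first grant of user=role to the first later revoke."""
    start = end = None
    for e in entries:
        if e.detail != f"{user}={role}":
            continue
        if e.event == "ROLE_GRANT" and start is None:
            start = e.ts
        elif e.event == "ROLE_REVOKE" and start is not None:
            end = e.ts
            break
    if start is None:
        return None
    return ExposureWindow(user, role, start, end)


def assess_exposure(entries: List[LogEntry], window: ExposureWindow) -> dict:
    """Summarise what the user did while the inappropriate access was live."""
    in_window = [e for e in entries if e.actor == window.user and window.contains(e.ts)]
    logins = [e for e in in_window if e.event == "LOGIN"]
    privileged = [e.detail for e in in_window if e.event in PRIVILEGED_EVENTS]
    if privileged:
        finding = "privileged_action_observed"   # needs action-by-action review
    elif logins:
        finding = "login_no_privileged_action"   # logged in, no privileged use seen
    else:
        finding = "no_login_during_window"       # access was never exercised
    return {
        "user": window.user,
        "role": window.role,
        "exposure_days": window.exposure_days(),
        "logins": len(logins),
        "privileged_actions": privileged,
        "finding": finding,
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    win = find_exposure_window(log, "jdoe", "Administrator")
    print(assess_exposure(log, win))
```

The three `finding` values map onto the article’s reasoning: no login in the window is the cheapest mitigation evidence, a login with no privileged activity still needs the activity-log review, and an observed privileged action means each action has to be examined individually. An open window (no revoke event yet) reports `exposure_days` as `None`, which is itself a signal that the first remediation step has not happened.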
The auditor may ask you about compensating controls for this deficiency. These are usually going to be detective controls that would enhance risk mitigation, such as user access reviews and activity log reviews. Keep in mind that a user’s knowledge or competency cannot be a control: if the user doesn’t have the background to exploit the inappropriate access, this does not completely remove the risk around the deficiency.
What Caused the Deficiency?
We removed the inappropriate access and determined that the person didn’t do anything – this is fixed, right? Not yet. To properly remediate a deficiency, we need to understand how the deficiency occurred in the first place; what is the root cause? Maybe the approving manager didn’t understand the extent of the roles? Could it be a simple case of human error, where the provisioner accidentally selected excessive access when granting it in the system? Was the initial request unclear or illegible and the provisioner didn’t have time to clarify? Understanding the root cause is crucial to ensuring a proper remediation plan.
What If There Are Multiple Deficiencies?
When multiple deficiencies occur within the environment, an aggregation assessment is performed to determine whether the deficiencies, when combined, rise to a more severe conclusion than a single deficiency. Multiple deficiencies may jeopardize control objectives in a SOC 1 report or the criteria in a SOC 2 report.
How Do We Fix the Audit Deficiency?
The roadmap of your remediation should consider the action required by management to prevent the deficiency from occurring again. For example, if the root cause is human error, management could retrain the relevant employees to help them understand why it’s important to provide the right access. Could the entire provisioning process be improved? The roadmap should also include the timing of when management would like the updates executed. Depending on the severity of the deficiency, management may need to consider escalating knowledge of the deficiency to the Board of Directors (BOD) or the Executive Management Team.
When Does the Auditor Retest the Process?
Management is encouraged to independently test the updated process prior to walking the auditor through it. Once management confirms the process has been remediated, the auditor will perform formal testing post-remediation to arrive at an updated conclusion. A conclusion from remediation will not overwrite a deficient conclusion; however, it can help by narrowing down the period of time the deficiency was open within the report.
How Will a Deficiency Show Up In My Report?
Section IV of the SOC report includes control conclusions. The control which failed will be identified, noting a testing exception. Prior to conducting a SOC report, there is an option for readiness testing, which will determine whether there are gaps within the environment and will allow the client to remediate the gaps prior to the beginning of the audit period.
Who Is Responsible for Finding Deficiencies?
Deficiencies can be found by anyone within the company. All employees and contractors need to be empowered, and provided with policies, so that when they find deficiencies or inconsistencies within the environment they elevate the findings to the correct individual(s). When someone within the company identifies a deficiency, it is best to bring it up with your auditor as soon as possible.
Your auditor will most likely find it regardless, and you can save yourself time and budget by pointing it out early on. Delaying discussions around known deficiencies may delay the issuance of your report. While deficiencies can also be found by auditors, auditors provide reasonable assurance, not absolute assurance, for an environment.
Hopefully, this article helps you feel prepared and know what to expect when a deficiency is found within your environment. Your service auditor should be well versed in the audit requirements but also prepared to provide guidance when deficiencies are found. If you have questions on SOC 1 or SOC 2 audits, please contact us and request a consultation.
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.